Bogleheads.org

[Alex Frakt]

update - the attacker did manage to figure out the passwords on several accounts. All of the accounts used very basic passwords like "stocks" or "bogleheads". Please change your password if it doesn't meet the guidelines below or if you have any concerns. See this response on page 2 of this thread for more details: viewtopic.php?f=3&t=96039&start=50#p1395370

Someone has been attempting a brute force attack run through anonymous proxy servers to try to guess user passwords on our site. They have not been successful and we are actively responding to the attacks to make sure it stays that way. To give a little more detail, someone has written a program that runs through the member list and attempts to login to each users account by entering random passwords. In anticipation of such attacks, our software only allows a small number of missed passwords before taking steps to lock out the attacker. We are now taking additional steps to keep this from interrupting the site, I don't want to go into the specifics of this for obvious reasons.

The question is what should you, our members, do about this. In most cases the answer is nothing. The attacker has not gotten into our database or successfully infiltrated anyone's account. The only effect it will have on you is that, until this is over, you may be asked to answer a simple question along with entering your username and password when logging in. The text of the message you will see if this is the case is "You exceeded the maximum allowed number of login attempts. In addition to your username and password you now also have to solve the CAPTCHA below."

Should you change your password? This attack does not create a specific need to change your password. However, if you broke any of the following rules of thumb when initially creating your password, you might want to take this opportunity to create something more secure. Again this is not something tied to the attack, it's just a generally good idea to follow these password guidelines:

These guidelines are based on analyses of lists of passwords posted by hackers who have successfully broken into various commercial web sites.

- Don't use a basic keyboard pattern or alphanumeric like qwerty or 123456 or abc123.
- Don't use common first or last names, the site name, your username or your e-mail address.
- Don't use password (or passw0rd), letmein, iloveyou or common terms of endearment like honey, princess or (for some reason) monkey.

And the most important rule:

- Don't use the same password for general sites (like ours) that you use for sites like banks and brokerages.

If you do want to change your password, click User Control Panel (it's a couple of lines under the Bogleheads logo at top left), then the Profile tab, then Edit Account Settings. Here's a direct link: http://www.bogleheads.org/forum/ucp.php?i=profile&mode=reg_details. While you are on that page, please check that the e-mail address we have for you is still valid. If you are locked out or forget your password, that's where the reset message will go.

edit - in addition to the one's mentioned above, here's a list of the passwords that have been hit in similar attacks
000000 abc123 aeiou angel asdf1 asdfg ashley babygirl baseball baseball1 batman blahblah cheese christ computer daniel dragon football freedom fuck fucked fuckyou grace iloveyou iloveyou1 iloveyou2 internet jessica jesus jesus1 jordan killer letmein love master matrix maverick michael michelle monkey mustang nicole nintendo passw0rd Password password1 pepper pokemon princess pussy qazwsx qwerty1 secret shadow single soccer starwards sunshine superman susan swordfish testing tigger trustno1 victory welcome whatever 1234 4321 6969 12345 54321 111111 121212 123123 654321 666666 1111111 7654321 7777777 87654321 123456789

[Mrs.Feeley]

Thank you for the update. The obvious question is why would anyone want to attack a message forum such as this one? To use it to send out phishing spam? To learn e-mail addresses and perhaps names of people with Vanguard accounts? Or perhaps they're just misguided about the potential value of such a hacking enterprise.

I got the log-on error message last night.

[Renaissance Man]

Man Your Battle Stations!

[Simplegift]

Good job, Alex. Thanks for keeping us informed of developments.

[Alex Frakt]

Thank you for the update. The obvious question is why would anyone want to attack a message forum such as this one? To use it to send out phishing spam? To learn e-mail addresses and perhaps names of people with Vanguard accounts? Or perhaps they're just misguided about the potential value of such a hacking enterprise.

I got the log-on error message last night.

I have seen reports of other message boards getting hit with the same thing. Here's the first official report on it from the people who created our forum software - http://www.phpbb.com/community/viewtopi ... &t=1947925

The speculation is that this may be the next step by spammers. We've gotten pretty good at keeping spammers out through techniques like requiring moderator approval of the first post from new members and not allowing images or links in a member's first few posts. But if a spammer can login as an established user, they could flood the forum with spam until the moderators get around to manually cleaning it off. Since they only get a few chances per username, it's unlikely to be very effective, but since it's all automated and, no doubt, run through compromised computers, it costs the spammer very little to try.

[Alex Frakt]

More research. Here's a list of the passwords being used during a similar attack on another phpbb board. If any of these are your password, you should probably change it. Note that even if you do use one of these, the attacker was only able to try a handful of times before being locked out, so you are probably still OK.

000000 abc123 aeiou angel asdf1 asdfg ashley babygirl baseball baseball1 batman blahblah cheese christ computer daniel dragon football freedom fuck fucked fuckyou grace iloveyou iloveyou1 iloveyou2 internet jessica jesus jesus1 jordan killer letmein love master matrix maverick michael michelle monkey mustang nicole nintendo passw0rd Password password1 pepper pokemon princess pussy qazwsx qwerty1 secret shadow single soccer starwards sunshine superman susan swordfish testing tigger trustno1 victory welcome whatever 1234 4321 6969 12345 54321 111111 121212 123123 654321 666666 1111111 7654321 7777777 87654321 123456789

[xerty24]

000000 abc123 aeiou angel asdf1 asdfg ashley babygirl baseball baseball1 batman blahblah cheese christ computer daniel dragon football freedom fuck fucked fuckyou grace iloveyou iloveyou1 iloveyou2 internet jessica jesus jesus1 jordan killer letmein love master matrix maverick michael michelle monkey mustang nicole nintendo passw0rd Password password1 pepper pokemon princess pussy qazwsx qwerty1 secret shadow single soccer starwards sunshine superman susan swordfish testing tigger trustno1 victory welcome whatever 1234 4321 6969 12345 54321 111111 121212 123123 654321 666666 1111111 7654321 7777777 87654321 123456789

And I thought surely no one would guess my long passphrase with 50+ unrelated words and numbers. Guess it's time to go back to Monkey1234 .

[Pacific]

Password

Really??

[nisiprius]

Password

Really??

Really. Probably a common reaction of users to being told "type password." I think it's usually cluelessness plain and simple, not misplaced cleverness.

I recognize the "swordfish" reference but I have to wonder how common it really is. (Bad movie with hackers-as-heroes).

[VictoriaF]

More research. Here's a list of the passwords being used during a similar attack on another phpbb board. If any of these are your password, you should probably change it. Note that even if you do use one of these, the attacker was only able to try a handful of times before being locked out, so you are probably still OK.

victory

Close call

Victoria

[sscritic]

victory

Close call

Victoria

Victor Victoria eh? Now which is the password?

[Toons]

Thanks for the update

[VictoriaF]

victory

Close call

Victoria

Victor Victoria eh? Now which is the password?

You can try all three. On the second thought, please don't. Otherwise, I will be asked solving CAPTCHA for the rest of my life.

Victoria

[FabLab]

Thanks, Alex, for the update. Please let us know if there's any way we can help out.

Cheers

[VictoriaF]

Thanks, Alex, for the update. Please let us know if there's any way we can help out.

We can guess Alex' password and do his job while he sleeps.

Victoria

[SSSS]

pepper pokemon princess pussy

How did they know the name of my cat??

[VictoriaF]

pepper pokemon princess pussy

How did they know the name of my cat??

The concept of the Pokémon universe, in both the video games and the general fictional world of Pokémon, stems from the hobby of insect collecting, a popular pastime which Pokémon executive director Satoshi Tajiri-Oniwa enjoyed as a child.

Is your cat fond of collecting insects, or is your hobby collecting insects from your cat?

Victoria

[FabLab]

pepper pokemon princess pussy

How did they know the name of my cat??

Easy. Alliteration was the next thing to expect after a repetitively lettered user name

[prudent]

I recognize the "swordfish" reference but I have to wonder how common it really is. (Bad movie with hackers-as-heroes).

The use of "swordfish" as a password started in the Marx Brothers movie Horse Feathers, way back in 1932!

[retiredjg]

Thanks Alex. We can always depend on you!

[Taylor Larimore]

What does "CAPTCHA" mean (to lazy to go to google) ?

Thank you and best wishes.
Taylor

[VictoriaF]

What does "CAPTCHA" mean (to lazy to go to google) ?

Thank you and best wishes.
Taylor

Hi Taylor,

CAPTCHA is some text written in a jagged way, or partly shaded, or using different fonts and sizes, or some combination of these -- so that a human can read it but text-recognition software would get confused. The human then types what he has read into a box to prove that he is a human.

Victoria

[Peculiar_Investor]

What does "CAPTCHA" mean (to lazy to go to google) ?

Thank you and best wishes.
Taylor

"Completely Automated Public Turing test to tell Computers and Humans Apart" per CAPTCHA - Wikipedia.

Also see Luis von Ahn: Massive-scale online collaboration | Video on TED.com, for an interesting talk from the inventor.

[baw703916]

CAPTCHA refers to a random word or phrase (typically written in some nonstandard, not easily machine-readable script--although that isn't the case in this site's impementation). The person trying to log in is asked to type in the word displayed--so a bot trying to enter the site would have to not only know the password, but be able to respond in real time to what the page displays.

Thanks to the previous poster for explaining how the term originated.

[Taylor Larimore]

Bogleheads:

Thank you for quick answer to my question.

Best wishes.
Taylor

[porcupine]

victory

Close call

Victoria

Victor Victoria eh? Now which is the password?

You can try all three. On the second thought, please don't. Otherwise, I will be asked solving CAPTCHA for the rest of my life.

Victoria

Wisecrack #1: Well, will help keep your math skills up-to-date.
Wisecrack #2: At least it is just a CAPTCHA not a Sudoku!! :wnik:

- Porcupine

[VictoriaF]

victory

Close call

Victoria

Victor Victoria eh? Now which is the password?

You can try all three. On the second thought, please don't. Otherwise, I will be asked solving CAPTCHA for the rest of my life.

Victoria

Wisecrack #1: Well, will help keep your math skills up-to-date.
Wisecrack #2: At least it is just a CAPTCHA not a Sudoku!!

- Porcupine

I prefer SET to Sudoku.

"Alzheimer's" would make a good password. By typing it often enough one may avoid the disease itself.

Victoria

[SSSS]

What does "CAPTCHA" mean (to lazy to go to google) ?

Basically it works like this:

[Lbill]

Is HACKER an acceptable password?

[Remy Winchester]

LMAO @ the "F" Series of password attempts,

[mind_boggled]

This is what we get for talking bad about high frequency trading. We have angered the machines.

[goggles]

Alex, thanks for dealing with this stuff.

I hope you liked the Turing test joke!

[tludwig23]

Arg, had to solve the CAPTCHA to login. Hopefully won't have to do this every time.

Thanks for the warning and explanations, Alex.

[rob]

What does "CAPTCHA" mean (to lazy to go to google) ?

Thank you and best wishes.
Taylor

Hi Taylor,

CAPTCHA is some text written in a jagged way, or partly shaded, or using different fonts and sizes, or some combination of these -- so that a human can read it but text-recognition software would get confused. The human then types what he has read into a box to prove that he is a human.

Victoria

Except I am always getting the damn things wrong...... and no colour blindness or anything else.... I far prefer the maths based ones that require an answer :-/

[speedbump101]

Thanks, Alex, for the update. Please let us know if there's any way we can help out.

We can guess Alex' password and do his job while he sleeps.

Victoria

'sleepdeprived'

SB...

[JPH]

When I click on the Bogleheads link in my Favorites menu, I'm logged in automatically. I don't type in my user name and password every time. Is there any increased risk associated with this practice?

[nisiprius]

Except I am always getting the damn things wrong...

Indeed. In my case, I believe it to be partly age-related cognitive deterioration. I sometimes have to request three CAPTCHAs before I get one I can perceive correctly. The method used here at the Bogleheads site is merciful.

But I think it is also because the CAPTCHA developers are losing the arms race against the automated CAPTCHA and the CAPTCHAs are getting harder and harder. And I've heard that there is now a cheap-labor market for CAPTCHA solvers, much as there is for "gold mining" (acquiring resources in on-line multiplayer games and selling them for real money to other players).

I don't think the bad guys are clever enough to do site-specific password guessing, but I would suggest that people avoid passwords that have any relationship to the name of our mentor.

[Alex Frakt]

When I click on the Bogleheads link in my Favorites menu, I'm logged in automatically. I don't type in my user name and password every time. Is there any increased risk associated with this practice?

Not from this. If you choose to autologin, we store a cookie on your computer that tells us your username and that you want to skip the login process, we do not store your actual password on your computer. The only potential security problem is that someone who has direct access to your computer could post under your username or edit your existing posts. They could also see your profile information, but that only gives them your e-mail address which they would presumably be able to get anyway since they are in physical possession of your computer. If they wanted to change your password or e-mail address, they would need to enter your current password regardless of the login setting.

[LynnC]

I have auto log in, also!

Thanks for keeping us posted, Alex. I suddenly realized my passwords aren't very creative! I got a chuckle out of a few of them..

LynnC

[baw703916]

Password

Really??

Really. Probably a common reaction of users to being told "type password." I think it's usually cluelessness plain and simple, not misplaced cleverness.

Must be akin to "Speak friend and enter" from Tolkien.

[Alex Frakt]

What does "CAPTCHA" mean (to lazy to go to google) ?

CAPTCHA is some text written in a jagged way, or partly shaded, or using different fonts and sizes, or some combination of these -- so that a human can read it but text-recognition software would get confused. The human then types what he has read into a box to prove that he is a human.

The most common CAPTCHA tests are the irregular text ones, but they can be anything that tries to distinguish humans from robots (software). I don't like the text CAPTCHAs, so we don't use them on this forum. Instead we ask a simple question and the respondent has to fill in the answer. The bot that is attacking us is pretty unsophisticated, it doesn't even try to answer the question.

[Alex Frakt]

Thanks Alex. We can always depend on you!

Thanks, but the credit should go to Ladygeek and Mel for outlining the problem and Larry for coming up with the filtering solutions. My only job was to report what's going on to everyone.

[Random Musings]

Thanks Alex. We can always depend on you!

Thanks, but the credit should go to Ladygeek and Mel for outlining the problem and Larry for coming up with the filtering solutions. My only job was to report what's going on to everyone.

Like we used to say at our research facility -

"Praise and Honor for the non-participants".

RM

[bourg]

Whew - they didn't try correcthorsebatterystaple.

http://xkcd.com/936/

[retiredjg]

Thanks Alex. We can always depend on you!

Thanks, but the credit should go to Ladygeek and Mel for outlining the problem and Larry for coming up with the filtering solutions. My only job was to report what's going on to everyone.

Ok. Thanks to them too!

[archbish99]

What does "CAPTCHA" mean (to lazy to go to google) ?

CAPTCHA is some text written in a jagged way, or partly shaded, or using different fonts and sizes, or some combination of these -- so that a human can read it but text-recognition software would get confused. The human then types what he has read into a box to prove that he is a human.

The most common CAPTCHA tests are the irregular text ones, but they can be anything that tries to distinguish humans from robots (software). I don't like the text CAPTCHAs, so we don't use them on this forum. Instead we ask a simple question and the respondent has to fill in the answer. The bot that is attacking us is pretty unsophisticated, it doesn't even try to answer the question.

Saw a neat one recently that displayed five symbols and a giant circle, and directed the user to "drag the ____ onto the circle." Completely not compliant with accessibility requirements, but for those who are mouse-capable, a nice differentiator.

I also saw one a few years ago based on the fact that we're biologically wired to identify different species, so it pulled pictures from PetFinder and asked you to sort dogs vs. cats.

[roymeo]

Whew - they didn't try correcthorsebatterystaple.

http://xkcd.com/936/

This was recently referenced in the Economist and someone wrote a letter in later to give xkcd credit for correct horse battery staple.

[LonePrairie]

Thank you for the update, Alex.

[JPH]

I don't think the bad guys are clever enough to do site-specific password guessing, but I would suggest that people avoid passwords that have any relationship to the name of our mentor.

nisiprius, I made this mistake, and my account was hijacked.

[sscritic]

I don't think the bad guys are clever enough to do site-specific password guessing, but I would suggest that people avoid passwords that have any relationship to the name of our mentor.

nisiprius, I made this mistake, and my account was hijacked.

Wow! Who would have guessed that the bad guys would try nisiprius as a common password. That is the mentor of whom you speak, right?